; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2007 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without 
; modification, are permitted provided that the following conditions are met:
;
; 1.  Redistributions of source code must retain the above copyright notice, 
;     this list of conditions and the following disclaimer. 
; 2.  Redistributions in binary form must reproduce the above copyright notice, 
;     this list of conditions and the following disclaimer in the documentation 
;     and/or other materials provided with the distribution. 
; 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of its 
;     contributors may be used to endorse or promote products derived from this 
;     software without specific prior written permission. 
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
;############################################################################

(version 1)

; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.
; Apple may in future announce an official public supported sandbox API, but until then Developers
; are cautioned not to build products that use or depend on the sandbox facilities illustrated here.

; Use "debug all" to log all operations examined by seatbelt, whether allowed or not.
; Use "debug deny" to log only operations that are denied by seatbelt
; to discover what specific attempted operation is causing an exception.

;(debug all)
(debug deny)

; To help debugging, "with send-signal SIGFPE" will trigger a fake floating-point exception,
; which will crash the process and show the call stack leading to the offending operation.
; For the shipping version "deny" is probably better because it vetoes the operation
; without killing the process.

(deny default)
;(deny default (with send-signal SIGFPE))

; Special exception: "send-signal" command does not apply to the mach-* operations,
; so for those we have to use a plain unadorned "deny" instead
; (which means we may not get any notification of unintentional mach-* denials)
(deny mach-lookup)
(deny mach-priv-host-port)

; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
(allow mach-lookup (global-name
					"com.apple.bsd.dirhelper"
					"com.apple.distributed_notifications.2"
					"com.apple.ocspd"
					"com.apple.PowerManagement.control"
					"com.apple.mDNSResponderHelper"
					"com.apple.SecurityServer"
					"com.apple.SystemConfiguration.configd"
					"com.apple.system.DirectoryService.libinfo_v1"
					"com.apple.system.DirectoryService.membership_v1"
					"com.apple.system.notification_center"
					"com.apple.system.logger"
					"com.apple.webcontentfilter.dns"
					"com.apple.server.bluetooth"
					"com.apple.awacs"
					"com.apple.blued"))

; Rules to allow the operations mDNSResponder needs start here

(allow signal (target self))
(allow network*)			; Allow networking, including Unix Domain Sockets
(if (defined? 'system-socket)
    (allow system-socket))  ; To create raw sockets
(allow sysctl-read)			; To get hardware model information
(allow sysctl-write)		; Needed for CFSocket
(allow file-read-metadata)	; Needed for dyld to work
(allow ipc-posix-shm)		; Needed for POSIX shared memory

(allow file-read-data                 (regex #"^/dev/random$"))
(allow file-read-data file-write-data (regex #"^/dev/console$"))		; Needed for syslog early in the boot process
(allow file-read-data                 (regex #"^/dev/autofs_nowait$"))	; Used by CF to circumvent automount triggers
(allow file-read-data                 (regex #"^/private/etc/hosts$"))			; /etc/hosts support
(allow file-read-data                 (regex #"^/private/etc$"))				; /etc/hosts support

; Allow us to read and write our socket
(allow file-read*     file-write*     (regex #"^/private/var/run/mDNSResponder$"))

; Allow us to read system version, settings, and other miscellaneous necessary file system accesses
(allow file-read-data                 (regex #"^/dev/urandom$"))
(allow file-read-data                 (regex #"^/usr/sbin(/mDNSResponder)?$"))		; Needed for CFCopyVersionDictionary()
(allow file-read-data                 (regex #"^/usr/share/icu/.*$"))
(allow file-read-data                 (regex #"^/usr/share/zoneinfo/.*$"))
(allow file-read-data                 (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist$"))
(allow file-read-data                 (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.nat\.plist$"))
(allow file-read-data                 (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist$"))
(allow file-read-data                 (regex #"^/Library/Preferences/com\.apple\.security.*\.plist$"))
(allow file-read-data                 (regex #"^/Library/Preferences/com\.apple\.crypto\.plist$"))
(allow file-read-data                 (regex #"^/Library/Security/Trust Settings/Admin\.plist$"))
(allow file-read-data                 (regex #"^/System/Library/CoreServices/SystemVersion.*$"))
(allow file-read-data                 (regex #"^/System/Library/Preferences/com\.apple\.security.*\.plist$"))
(allow file-read-data                 (regex #"^/System/Library/Preferences/com\.apple\.crypto\.plist$"))
(allow file-read-data                 (regex #"^/System/Library/SystemConfiguration/PowerManagement\.bundle(/|$)"))
(allow file-read-data                 (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.PowerManagement\.plist$"))
(allow file-read-data                 (regex #"^/private/var/preferences/SystemConfiguration/preferences\.plist$"))

; Allow access to System Keychain
(allow file-read-data                 (regex #"^/System/Library/Security$"))
(allow file-read-data                 (regex #"^/System/Library/Keychains/.*$"))
; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here(to things which we don't need), we disable any
; logging that might happen during the access
(deny  file-read-data                 (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data                 (regex #"^/Library/Keychains/System\.keychain$"))
; Our Module Directory Services cache
(allow file-read-data                 (regex #"^/private/var/tmp/mds/"))
(allow file-read* file-write*         (regex #"^/private/var/tmp/mds/[0-9]+(/|$)"))
(allow file-read-data                 (regex #"^/private/var/db/mds/"))
(allow file-read* file-write*         (regex #"^/private/var/db/mds/[0-9]+(/|$)"))
(allow file-read* file-write*         (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)"))
(allow file-read* file-write*         (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")) ; Required on 10.5 and 10.6
; CRL Cache for SSL/TLS connections
(allow file-read-data                 (regex #"^/private/var/db/crls/crlcache\.db$"))

; For mDNS sleep proxy offload and IOPMConnectionCreate
(if (defined? 'iokit-open)
   (begin
     (allow iokit-open (iokit-user-client-class "NVEthernetUserClientMDNS"))
     (allow iokit-open (iokit-user-client-class "mDNSOffloadUserClient"))
     (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))))

; For D2D
(allow file-read-data (regex #"^/System/Library/PrivateFrameworks/DeviceToDeviceManager.framework(/|$)"))
(allow file-read-data (regex #"^/System/Library/PrivateFrameworks/MobileBluetooth.framework(/|$)"))
(allow file-read-data (regex #"^/System/Library/Frameworks/CoreFoundation.framework(/|$)"))
(allow file-read-data (regex #"^/System/Library/Frameworks/SystemConfiguration.framework(/|$)"))
(allow file-read-data (regex #"^/System/Library/Frameworks/IOKit.framework(/|$)"))
(allow file-read-data (regex #"^/System/Library/Frameworks/Security.framework(/|$)"))
(allow file-read-data file-write-data file-ioctl (regex #"^/dev/dtracehelper$"))

; For WebFilterDNS framework
(allow file-read-data (regex #"^/System/Library/PrivateFrameworks/WebFilterDNS.framework(/|$)"))
